
12 Simple Cybersecurity Rules For Your Small Business

James Cannady, Ph.D., Professor at Nova Southeastern University's Graduate School of Computer and Information Sciences, will present on "12 Simple Cybersecurity Rules For Your Small Business."

In this online presentation, twelve simple and inexpensive techniques for protecting small businesses from cyber threats will be discussed. While complex and expensive solutions exist to improve the security of information technology, most of these products are not designed for the specific needs of small businesses. The techniques discussed in the presentation are designed to address the most common threats encountered by small businesses without requiring significant expertise and expense.


1. 12 Simple Cybersecurity Rules for Your Small Business
James Cannady, Ph.D.

2. Purpose of this presentation
• Small businesses form the foundation of our economy. Their need for information security is as great as a multi-national business, but they usually do not have the resources to dedicate to protecting their systems.
• Security does not have to be as complicated (or expensive) as it may seem
• The following rules are designed to serve as guidelines for small businesses as they consider options for securing their computer resources.

4. Concentrate on the Business
• Security is a support function for the business. It is not "the" business.
• Choose security technologies and techniques that support and enable the business
• Avoid changing the business to accommodate security products (there are lots of options)

7. What do you need?
• There are a variety of available security technologies
• Price/availability/interoperability must all be considered
• Sometimes doing nothing is OK
• Defense in Depth as a strategy for a secure infrastructure

8. What do you need?
• Security is cumulative
• No single solution
• "We have a firewall!!!"
• Examine cost/benefit of each approach vs. cost of security incidents
• Focus first on biggest vulnerabilities
• Get what you need, but no more.

10. Security is more than technology
• Employee awareness of need for security
  – Formal training vs teaching moments
• Operations Security
  – The whole point of operations security is to have a set of operational (daily, habit ingrained) practices that make it harder for another group to compile critical information.

12. It's Your Security
• Not everything can be done in-house
  – You will have to buy at least some commercial products
  – You may need to bring in outside consultants
• Make sure that all security components are well documented
  – Configuration, installation, etc.
  – Changes will need to be made eventually
• Be careful with factory defaults
  – Easier for remote tech services, but potential vulnerabilities

20. Access Control
• System administration is a one person job
  – Only one person needs to be able to have full control over the system (backup sysadmin ok, but no more)
• The crown jewels of the business need to be limited to specific personnel
  – How?
    • Password-protected files
    • Separate computers for sensitive data
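
As an added example (not part of the slides), here is a small audit script for the "one person job" rule above. It parses /etc/passwd- and /etc/group-style text, lists every account that holds full control (UID 0 accounts plus members of the sudo, wheel and admin groups, an assumed set of root-equivalent groups), and flags the system when more than one sysadmin plus one backup hold it, or when any account other than root has UID 0. The sample file contents are constructed for the example.

```python
"""Audit who holds full administrative control on a Unix-like host.

Added example for the slide's "one sysadmin plus one backup" rule.
The admin group names and the sample file contents are assumptions
constructed for this example, not taken from the presentation.
"""
from __future__ import annotations

import sys

ADMIN_GROUPS = {"sudo", "wheel", "admin"}  # assumption: typical root-equivalent groups
MAX_ADMINS = 2                              # one sysadmin plus one backup, per the slide

# Constructed sample in /etc/passwd format: name:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:0:0:backup service:/var/backup:/bin/sh
"""

# Constructed sample in /etc/group format: name:password:gid:member,member
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob,carol
wheel:x:10:alice
sales:x:1001:dave,erin
"""


def _records(text: str, min_fields: int):
    """Yield colon-separated records, skipping blank, comment and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def uid_zero_accounts(passwd_text: str) -> set[str]:
    """Every account with UID 0 is root, whatever it is called."""
    return {f[0] for f in _records(passwd_text, 7) if f[2] == "0"}


def admin_group_members(group_text: str, admin_groups=ADMIN_GROUPS) -> set[str]:
    """Members of the groups that confer full control (sudo/wheel/admin)."""
    admins: set[str] = set()
    for fields in _records(group_text, 4):
        if fields[0] in admin_groups and fields[3]:
            admins.update(m for m in fields[3].split(",") if m)
    return admins


def audit_full_control(passwd_text: str, group_text: str,
                       max_admins: int = MAX_ADMINS) -> dict:
    """Compare the people with full control against the one-plus-backup rule.

    Any UID 0 account besides 'root' is reported separately: it is a second
    root login that the slide's rule does not allow for at all.
    """
    admins = admin_group_members(group_text)
    extra_root = uid_zero_accounts(passwd_text) - {"root"}
    excess = max(0, len(admins) - max_admins)
    return {
        "admins": sorted(admins),
        "extra_root_accounts": sorted(extra_root),
        "excess": excess,
        "within_limit": excess == 0 and not extra_root,
    }


if __name__ == "__main__":
    # Usage: python audit_admins.py [/etc/passwd /etc/group]; defaults to the samples.
    if len(sys.argv) == 3:
        passwd = open(sys.argv[1], encoding="utf-8").read()
        group = open(sys.argv[2], encoding="utf-8").read()
    else:
        passwd, group = SAMPLE_PASSWD, SAMPLE_GROUP
    result = audit_full_control(passwd, group)
    print("accounts with full control:", ", ".join(result["admins"]) or "none")
    if result["extra_root_accounts"]:
        print("UID 0 accounts besides root:", ", ".join(result["extra_root_accounts"]))
    if result["excess"]:
        print(f"{result['excess']} more than the allowed {MAX_ADMINS} administrators")
    print("within limit" if result["within_limit"] else "REVIEW: too many hands on the system")
```

Run against the samples, the script reports three sudo members (one over the limit) and a second UID 0 account; either finding alone is enough to fail the check. Running it on a real host is a quick way to turn the slide's rule into something that can be checked on a schedule.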

22. Secure Your Wi-Fi
• Almost every business has one.
• They are easy to find and easy to exploit, especially if simple security measures are not used
• Current encryption standards for WiFi are not particularly strong, but it is usually enough to dissuade the bad guys, especially since there are almost certainly unsecured WiFi's nearby

26. Physical Security
• Physical security is as important as any other form of information security
• Computers should not be accessible by unauthorized users
• Servers should be guarded with sufficient care to protect the data they contain.
• Challenge strangers

28. There is no panacea
Security is the process of enabling the protected information system to do what it was designed to do. Nothing more, nothing less.
You will not have perfect security, no matter how much money you are able to spend …but it doesn't have to be perfect.

29. Take Home Points
• Security is not the business, it supports the business
• Decide what you need, don't rely on a vendor to tell you what you need
• There are a variety of inexpensive (or free) approaches to security that provide excellent protection
• Physical security is at least as important as any other form of protection
• Don't strive for perfect security. You only need to secure enough that it's not worth the effort required of the bad guys

30. James Cannady, Ph.D.
Graduate School of Computer and Information Sciences
Nova Southeastern University
cannady@nova.edu